OFFICE OF INSPECTOR GENERAL

Audit Report 2014-IT-C-016

Audit of the CFPB's Acquisition and Contract Management of Select Cloud Computing Services

September 30, 2014

BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
CONSUMER FINANCIAL PROTECTION BUREAU


Report Contributors

  Khalid Hasan, OIG Manager
  Paul Vaclavik, Auditor in Charge
  Joshua Dieckert, IT Auditor
  Peter Sheridan, Senior OIG Manager
  Andrew Patchan Jr., Associate Inspector General for Information Technology


Abbreviations

  AWS          Amazon Web Services
  CAT          Compliance Analysis Toolkit
  CFPB         Consumer Financial Protection Bureau
  CIGIE        Council of the Inspectors General on Integrity and Efficiency
  CSP          cloud service provider
  e-discovery  electronic discovery
  FAR          Federal Acquisition Regulation
  IaaS         infrastructure as a service
  IT           information technology
  NIST         National Institute of Standards and Technology
  OIG          Office of Inspector General
  PaaS         platform as a service
  SaaS         software as a service
  SLA          service-level agreement
  Treasury     U.S. Department of the Treasury


Executive Summary: Audit of the CFPB's Acquisition and Contract Management of Select Cloud Computing Services

2014-IT-C-016                                                                September 30, 2014

Purpose

In January 2014, the Council of the Inspectors General on Integrity and Efficiency initiated a government-wide review of select agencies' efforts to adopt cloud computing technologies. In support of this initiative, our objective was to review the Consumer Financial Protection Bureau's (CFPB) acquisition and contract management for Amazon.com's Amazon Web Services and Deloitte's Compliance Analysis Toolkit to determine whether requirements for security, service levels, and access to records were planned for, defined in contracts, and being monitored.

Background

Cloud computing refers to a model for delivery of information technology (IT) services through on-demand access to a pool of configurable computing resources. Federal agencies, including the CFPB, are increasingly adopting cloud computing to lower IT costs and gain efficiencies.

The CFPB's strategic plan emphasizes the need for a flexible, scalable IT infrastructure that is capable of meeting current needs and sustaining the agency's future growth. To help achieve this objective, the CFPB has contracted with seven cloud service providers (CSPs), including Amazon.com, which hosts the agency's public website, and Deloitte, which provides an application that allows financial companies that are supervised by the CFPB to upload loan file data for analysis by the agency's examiners.

Findings

Overall, we found that the CFPB's contracts for cloud computing services with Amazon.com and Deloitte included roles and responsibilities, information security requirements, and service-level expectations. We also found that the CFPB has established a process to monitor both contractual and service-level requirements for its CSPs, and that the agency collects and maintains nondisclosure agreements from contractor personnel to protect sensitive information.

We identified opportunities for improvement in the procurement and use of cloud services. Specifically, we found that when the CFPB began operations in July 2011, it used a U.S. Department of the Treasury contract with Amazon.com to quickly meet its IT needs. The agency, however, did not perform its own alternatives and cost analysis at that time. In addition, we found that the CFPB's cloud computing contracts and service-level agreements with both Amazon.com and Deloitte did not include clauses providing the access needed for electronic discovery and performance of criminal and noncriminal investigations. We also found that the CFPB's contract with Deloitte did not include a clause granting the Office of Inspector General the right to examine agency records or detail specific penalties or remedies for noncompliance with contract terms and service levels.

Recommendations

Our report contains four recommendations to assist the CFPB's Chief Information Officer in strengthening processes for the acquisition and contract management of cloud services. Specifically, we recommend that the Chief Information Officer ensure that alternatives and cost analyses are conducted, assess the costs and benefits of negotiating post-award agreements with Amazon.com and Deloitte to include relevant requirements and best practices, ensure that agency guidance used to develop contracts and service-level agreements with CSPs references applicable Federal Acquisition Regulation and best practice contract clauses, and ensure that future CFPB contracts for cloud computing services include relevant requirements and best practice contract clauses. The Chief Information Officer concurred with our recommendations and outlined actions that have been taken or will be implemented to address our recommendations.

Access the full report: http://oig.consumerfinance.gov/reports/cfpb-cloud-computing-services-sep2014.htm
For more information, contact the OIG at 202-973-5000 or visit http://oig.consumerfinance.gov.


Summary of Recommendations, OIG Report No. 2014-IT-C-016

Rec. no.  Report page no.  Recommendation                                                           Responsible office
1         5                Ensure that an alternatives and cost analysis is conducted to inform     Office of the Chief
                           the selection of cloud computing service providers and models.            Information Officer
2         7                Assess the costs and benefits of negotiating post-award agreements        Office of the Chief
                           with Amazon.com and Deloitte to include clauses for Inspector General    Information Officer
                           information access, the conduct of forensic investigations and
                           electronic discovery, and penalties for noncompliance with contract
                           and service-level agreement terms, as appropriate.
3         7                Ensure that the guidance used to develop contracts and service-level      Office of the Chief
                           agreements with cloud service providers references Federal               Information Officer
                           Acquisition Regulation requirements and best practice contract clauses
                           for information access, conduct of forensic investigations and
                           electronic discovery, and penalties for noncompliance, as appropriate.
4         7                Ensure that future CFPB contracts for cloud computing services include    Office of the Chief
                           Federal Acquisition Regulation requirements and best practice clauses    Information Officer
                           for information access, the conduct of forensic investigations and
                           electronic discovery, and the assessment of penalties for
                           noncompliance with contract and service-level agreement terms.


September 30, 2014

MEMORANDUM

TO:       Ashwin Vasan
          Chief Information Officer
          Consumer Financial Protection Bureau

FROM:     Andrew Patchan Jr.
          Associate Inspector General for Information Technology

SUBJECT:  OIG Report No. 2014-IT-C-016: Audit of the CFPB's Acquisition and Contract Management of Select Cloud Computing Services

The Office of Inspector General (OIG) has completed its report on the subject audit. In January 2014, the Council of the Inspectors General on Integrity and Efficiency (CIGIE) initiated a government-wide review of select agencies' efforts to adopt cloud computing technologies. The CIGIE initiative focused on reviewing cloud computing contracts for inclusion of specific clauses and the agencies' efforts to monitor the performance of cloud service providers. In support of the CIGIE initiative, our objective was to review the Consumer Financial Protection Bureau's (CFPB) acquisition and contract management for Amazon.com's Amazon Web Services and Deloitte's Compliance Analysis Toolkit to determine whether requirements for security, service levels, and access to records were appropriately planned for, defined in contracts, and being monitored. We provided CIGIE with responses to a questionnaire it issued to the select agencies' OIGs under a separate cover. This report includes specific findings and recommendations designed to assist the CFPB in improving its acquisition and contract management processes associated with cloud service providers.

We provided a draft of our report to you for review and comment. In your response, included as appendix B, you concurred with our recommendations and outlined actions that have been taken, are underway, and are planned to address our recommendations.

We appreciate the cooperation that we received from CFPB personnel during our review. Please contact me if you would like to discuss this report or any related issues.

cc:  Sartaj Alag, Chief Operating Officer
     Stephen Agostini, Chief Financial Officer
     Zachary Brown, Chief Information Security Officer
     J. Anthony Ogden, Deputy Inspector General
     Matthew Simber, OIG Manager for Policy, Planning, and Quality Assurance


Contents

Introduction ..... 1
    Objectives ..... 1
    Background ..... 1
    Federal Guidance and Best Practices for Acquiring Cloud Computing Services ..... 2

Finding 1: The CFPB's Business Case for AWS Did Not Include an Alternatives and Cost Analysis ..... 4
    Recommendation ..... 5
    Management's Response ..... 5
    OIG Comment ..... 5

Finding 2: Specific Clauses for Information Access and Penalties for Noncompliance Were Not Included in CSP Contracts and SLAs ..... 6
    Recommendations ..... 7
    Management's Response ..... 8
    OIG Comment ..... 8

Appendix A: Scope and Methodology ..... 9

Appendix B: Management's Response ..... 10


Introduction

Objectives

In January 2014, the Council of the Inspectors General on Integrity and Efficiency (CIGIE)(1) initiated a government-wide review of select agencies' efforts to adopt cloud computing technologies. The initiative focused on reviewing cloud computing contracts for inclusion of specific clauses and the agencies' efforts to monitor the performance of cloud service providers (CSPs). In support of the CIGIE initiative, our objective was to review the Consumer Financial Protection Bureau's (CFPB) acquisition and contract management for Amazon.com's Amazon Web Services (AWS) and Deloitte's Compliance Analysis Toolkit (CAT) to determine whether requirements for security, service levels, and access to records were appropriately planned for, defined in contracts, and being monitored. We provided CIGIE with responses to a questionnaire it issued to the select agencies' OIGs under a separate cover. Appendix A provides our scope and methodology.

Background

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST classifies cloud computing capabilities into the following three models:

    1. Software as a service (SaaS) provides the capability to use the CSP's applications running on a cloud infrastructure.
    2. Platform as a service (PaaS) refers to the capability to deploy consumer-created or -acquired applications that are developed using programming languages and tools supported by the CSP onto the cloud infrastructure.
    3. Infrastructure as a service (IaaS) enables provisioning of processing, storage, networks, and other computing resources where the consumer is able to deploy, run, and control software applications.(2)

Cloud computing offers federal agencies the potential for cost savings through faster deployment of computing resources, a decreased need to buy hardware or build data centers, and enhanced collaboration capabilities. Recognizing these benefits, the Office of Management and Budget issued a Cloud First policy in December 2010, requiring federal agencies to evaluate safe, secure cloud computing options before making new investments in information technology (IT).

(1) CIGIE was statutorily established as an independent entity within the executive branch by the Inspector General Reform Act of 2008, P.L. 110-409, to address integrity, economy, and effectiveness issues that transcend individual government agencies.

(2) National Institute of Standards and Technology, Cloud Computing Synopsis and Recommendations, Special Publication 800-146, May 2012.

When it began operations in July 2011, the CFPB relied on the U.S. Department of the Treasury (Treasury) for IT systems and services. As the agency transitions IT systems and services from Treasury, it has increasingly embraced cloud computing as a model to meet its IT needs in a flexible, scalable manner. Specifically, the CFPB has contracted with seven CSPs, including Amazon.com and Deloitte. Amazon.com hosts the CFPB's public website and provides infrastructure for the agency's software development efforts through AWS. Deloitte provides the agency's CAT, which is an application that allows financial companies that are supervised by the CFPB to upload loan file data for analysis by the agency's examiners. As highlighted in table 1, the CFPB also uses cloud computing solutions for automated litigation support and for contact center services. As of June 2014, the CFPB's cloud computing contracts were valued at approximately $185 million.

Table 1: Summary of Cloud Computing Technologies Used by the CFPB

CSP                         Cloud service description              Type of cloud service  Total contract value  Contract initiation date  Contract length
General Dynamics            Contact center support and services    SaaS                   $131,000,000          06/08/2011                5 years
Deloitte                    CAT, analytical services, and support  SaaS                   $25,000,000           05/29/2012                5 years
Treasury                    IT shared services                     PaaS                   $9,674,580            10/01/2013                1 year
Treasury                    Financial management services          PaaS                   $7,075,604            10/01/2013                1 year
Verizon Terremark           Data storage/colocation                IaaS                   $4,200,000            01/05/2011 (a)            8 months
Amazon.com                  Web hosting                            IaaS                   $4,200,000            01/05/2011 (a)            8 months
U.S. Department of Justice  Automated litigation support           SaaS                   $3,997,840            05/12/2012                5 years

Source: Information taken from the CFPB's responses to the CIGIE cloud computing survey.

(a) The CFPB initially contracted with Verizon Terremark and Amazon.com for cloud services on January 5, 2011. The contract values and lengths reflected in the table are for the most recent contract extensions the CFPB signed with these two companies on January 1, 2014.

Federal Guidance and Best Practices for Acquiring Cloud Computing Services

Compared to traditional IT contracts, procuring cloud computing services presents agencies with unique and differing risks to manage. For instance, CSPs may store data across multiple facilities across the world. Thus, federal agencies must carefully consider who may have access to data and under what circumstances. To ensure that federal agencies are procuring cloud services in accordance with existing regulations and laws, the Chief Information Officers Council and the Chief Acquisition Officers Council issued guidance on February 24, 2012, for creating effective cloud computing contracts for the federal government.(3) This guidance highlights the importance of clearly defining in contracts roles and responsibilities between the CSP and the agency, particularly with respect to information access. The guidance also recommends that agencies establish service-level expectations and monitor CSP compliance, ensure control of federal data through completion of nondisclosure agreements, and include clauses in contracts or agreements outlining procedures for conducting forensic investigations and electronic discovery (e-discovery).

Guidance issued by NIST on cloud computing and procurement of IT services also provides best practices that agencies may consider when acquiring cloud services. For instance, NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, May 2012, notes that an agency should develop a business case for moving to the cloud that considers the readiness of existing applications for cloud deployment, transition and life cycle costs, and security and privacy requirements. Further, NIST Special Publication 800-35, Guide to Information Technology Security Services, October 2002, presents factors for agencies to consider when selecting, implementing, and managing IT security services and providers. These factors can also apply to the procurement of cloud services and include consideration of viable alternatives, development of cost estimates, and formalization of service-level agreements (SLAs) with specific clauses and terms unique to each organization.

(3) The Chief Information Officers Council was established in July 1996 by Executive Order 13011, Federal Information Technology, with the mission to improve practices related to the design, acquisition, development, use, sharing, and performance of federal government information resources. The Chief Acquisition Officers Council was established in 1999, pursuant to section 16 of the Office of Federal Procurement Policy Act, and it seeks to promote effective business practices that ensure the timely delivery of products and services to agencies, achieve public policy objectives, and further openness in the federal acquisition system.


Finding 1: The CFPB's Business Case for AWS Did Not Include an Alternatives and Cost Analysis

As part of planning to acquire cloud services, NIST Special Publication 800-146 states that agencies should develop a business case that considers the readiness of existing applications for cloud deployment, transition and life cycle costs, and security and privacy requirements. In addition, NIST Special Publication 800-35 details an IT security services life cycle that provides a framework for use in selecting, implementing, and managing IT security services, including cloud computing services. Figure 1 details NIST's IT security services life cycle. The solution phase involves the development of a business case in order to identify the best solution to produce the desired future state. Specifically, the business case should include consideration of viable alternatives, formation of cost estimates, and completion of an organizational risk analysis. In accordance with this life cycle approach, the CFPB is in the process of strengthening its IT capital planning program to guide the selection, evaluation, and control of its IT investments. As part of this program, the CFPB has created an Investment Review Board designed to review the agency's business cases for IT investment decisions.

Figure 1: IT Security Services Life Cycle
Source: NIST SP 800-35, Guide to Information Technology Security Services

We found that although a business case analysis was completed to guide the CFPB's acquisition of CAT, the alternatives and cost savings analysis part of the business case analysis for the AWS cloud computing environment was not completed. An alternatives and cost savings analysis was not completed for the AWS contract because the CFPB's current investment review process was not in place when that contract was initially awarded. In addition, CFPB officials informed us that at the time the AWS contract was awarded, the agency had recently been established as an independent agency and it had to rapidly establish its IT infrastructure to support its needs. As such, the agency utilized an existing Treasury contract with Amazon.com without performing its own alternatives and cost savings analysis.

The Chief Information Officer stated that as the CFPB continues to transition its IT infrastructure from Treasury, the agency will be evaluating various models, including cloud computing and in-house approaches, to hosting its infrastructure. Completion of a business case for proposed approaches that includes viable alternatives and cost considerations will provide key information to assist CFPB officials in selecting an IT infrastructure solution that best meets the needs of the agency in a cost-effective manner.

Recommendation

We recommend that the Chief Information Officer

    1. Ensure that an alternatives and cost analysis is conducted to inform the selection of cloud computing service providers and models.

Management's Response

The Chief Information Officer concurs with this recommendation and is working to continue to mature the agency's processes, to include conducting the appropriate reviews during source selection as well as cost-benefit and trade-off analyses.

OIG Comment

In our opinion, the actions described by the Chief Information Officer are responsive to our recommendation. We plan to follow up on the actions to ensure that the recommendation is fully addressed.


Finding 2: Specific Clauses for Information Access and Penalties for Noncompliance Were Not Included in CSP Contracts and SLAs

As shown in figure 1 above, once a business case has been reviewed and a service provider has been selected as part of the solution phase, the implementation phase begins. This phase includes the development of an SLA with specific clauses and terms unique to each organization. Federal Acquisition Regulation (FAR) section 52.215-2, Audit and Records, requires that contracts for cloud computing include a clause related to granting the OIG access and the right to examine any of the directly pertinent records involving transactions related to the contract. Further, best practices for creating effective cloud computing contracts in the federal government stipulate that penalties for noncompliance with contract and service agreement terms, as well as procedures for e-discovery and forensic investigations, should be outlined in the contract or the SLA between the agency and the CSP.(4)

We found that the CFPB's contracts for cloud computing services with Amazon.com and Deloitte included specific clauses covering roles and responsibilities, information security requirements, and service-level expectations. We also found that the CFPB has established a process to monitor both contractual and service-level requirements for its CSPs and that the agency collects and maintains nondisclosure agreements from contractor personnel to protect sensitive information. However, as highlighted in table 2, we identified that the contracts and SLAs for both AWS and CAT did not include clauses covering (1) the conduct of forensic investigations for criminal and noncriminal purposes and (2) procedures for e-discovery when conducting a criminal investigation. Additionally, we found that the CAT contract did not include FAR clause 52.215-2 related to granting the OIG access to contractor records or include clauses specifying penalties levied on the CSP for noncompliance with contract or SLAs.

(4) See CIO Council and Chief Acquisition Officers Council, in coordination with the Federal Cloud Compliance Committee, Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service, February 24, 2012, https://cio.gov/wp-content/uploads/downloads/2012/09/cloudbestpractices.pdf.

Table 2: Select Best Practice Contract and SLA Clauses for AWS and CAT

Contract/SLA clause                                                                   Included in AWS contract or SLA?  Included in CAT contract or SLA?
FAR 52.203-13—Contractors to fully cooperate by disclosing sufficient information     Yes                               Yes
  for law enforcement purposes
FAR 52.239-1—Agency access to the CSP's facilities                                    Yes                               Yes
Cloud Best Practices—Allowing the CSP to only make changes to the cloud environment   Yes                               Yes
  under specific standard operating procedures agreed to by the CSP and the federal
  agency in the contract
FAR 52.215-2/Cloud Best Practices—OIG access to the contractor's facilities,          Yes                               No
  installations, operations, documentation, databases, and personnel
Cloud Best Practices—Penalties for noncompliance with contract and SLA                Yes                               No
Cloud Best Practices—Contract includes procedures for agencies to conduct forensic    No                                No
  investigations
Cloud Best Practices—Addressing procedures for e-discovery when conducting a          No                                No
  criminal investigation

Source: OIG analysis of the CFPB's AWS and CAT contracts.

CFPB officials informed us that the guidance used to develop the AWS and CAT contracts and SLAs did not include references to FAR clause 52.215-2 or the best practice clauses that we found to be missing. By ensuring that these clauses are included in cloud computing contracts and SLAs, the CFPB will have greater assurance that it will have timely access to agency information hosted in the cloud and be able to hold CSPs accountable for noncompliance with contract and SLAs.

Recommendations

We recommend that the Chief Information Officer

    2. Assess the costs and benefits of negotiating post-award agreements with Amazon.com and Deloitte to include clauses for Inspector General information access, the conduct of forensic investigations and e-discovery, and penalties for noncompliance with contract and SLA terms, as appropriate.

    3. Ensure that the guidance used to develop contracts and SLAs with CSPs references FAR requirements and best practice contract clauses for information access, conduct of forensic investigations and e-discovery, and penalties for noncompliance, as appropriate.

    4. Ensure that future CFPB contracts for cloud computing services include FAR requirements and best practice clauses for information access, the conduct of forensic investigations and e-discovery, and the assessment of penalties for noncompliance with contract and SLA terms.

Management's Response

The Chief Information Officer concurs with recommendation 2 and is undertaking steps to assess the feasibility, as well as cost-benefit and trade-off analyses, for the existing contracts with both Amazon.com and Deloitte and, where appropriate, to execute post-award agreements to help increase assurances that the OIG has timely access to information hosted in these CSPs, and that government interests are protected appropriately.

The Chief Information Officer concurs with recommendation 3. Inclusion of standardized FAR clauses, requirements for information access in support of audit and assessments, and penalties for less-than-compliant contract execution on the part of the CSPs are all matters that are in scope for the CFPB's ongoing supply chain guidance maturation goals and improvement processes.

The Chief Information Officer concurs with recommendation 4 and plans to develop a more robust repertoire of cloud service acquisition terms and conditions.

OIG Comment

In our opinion, the actions described by the Chief Information Officer are responsive to our recommendations. We plan to follow up on the actions to ensure that the recommendations are fully addressed.


Appendix A
Scope and Methodology

In January 2014, CIGIE initiated a government-wide review of select agencies' efforts to adopt cloud computing technologies. The initiative focused on reviewing cloud computing contracts for inclusion of specific clauses and the agencies' efforts to monitor the performance of CSPs. In support of the CIGIE initiative, our objective was to review the CFPB's acquisition and contract management for AWS and CAT to determine whether requirements for security, service levels, and access to records were appropriately planned for, defined in contracts, and being monitored.

To accomplish our audit objective, we developed an inventory of cloud computing–based systems by surveying CFPB officials responsible for the procurement, maintenance, and monitoring of the agency's cloud contracts. To perform our assessment, we judgmentally selected the AWS and CAT cloud computing–based systems based on their respective service models, contract lengths, total contract values, and associated risk categorizations. To perform our review, we analyzed the AWS and CAT contracts, SLAs, and security documentation. Further, we interviewed managers and staff at the CFPB, as well as contracting officers at Treasury who were responsible for the development of the AWS and CAT contracts.

We performed our fieldwork from February 2014 through June 2014. We conducted this performance audit in accordance with generally accepted government auditing standards.
Those\n       standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to\n       provide a reasonable basis for our findings and conclusions based on our audit objectives. We\n       believe that the evidence obtained provides a reasonable basis for our findings and conclusions\n       based on our audit objectives.\n\n\n\n\n2014-IT-C-016                                                                                        9\n\x0cAppendix B\nManagement\xe2\x80\x99s Response\n\n\n\n\n2014-IT-C-016           10\n\x0c2014-IT-C-016   11\n\x0c2014-IT-C-016   12\n\x0c2014-IT-C-016   13\n\x0c\x0c"